@ireydiak ireydiak commented Dec 15, 2025

Change(s):

  • Created a Push Connector
  • Removed deprecated Rest API Connector; the Push Connector should be used instead.
  • Created new DCR, Polling, and Connection Details configs for new Push Connector.
  • Created table definition for new table FireworkV2_CL.
  • Deprecated Firework_CL table; FireworkV2_CL should be used instead.
  • Updated Analytic Rules to use FireworkV2_CL.
  • Updated WorkBooks to use FireworkV2_CL.

Reason for Change(s):

  • The Rest API connector is deprecated and a new Push Connector was recommended by Microsoft.
  • The previous data model was dynamic; defining a table schema will help maintain this Solution in the long term and provide better visibility.

Version Updated:

  • Yes
  • Analytic Rule templates are required to have the version updated.
  • Updated Analytic Rule versions from 1.0.1 to 2.0.0.

Testing Completed:

  • Tested the new Solution on both an existing and a new workspace. This testing includes:
    • Analytic Rules
    • WorkBooks
    • Connectors
    • Logs

Checked that the validations are passing and have addressed any issues that are present:

  • yes

@ireydiak ireydiak self-assigned this Dec 15, 2025
@ireydiak ireydiak force-pushed the ireydiak-flare/flare-solution-cff-connector branch 2 times, most recently from a5fc45e to cc32b42 on December 16, 2025 21:37
- replaced Rest API collector with CCF collector
- new Table definition
- new DCR for CFF collector
- new Polling configuration for CFF collector
@ireydiak ireydiak force-pushed the ireydiak-flare/flare-solution-cff-connector branch from cc32b42 to ab7bb41 on December 16, 2025 21:46
@ireydiak ireydiak marked this pull request as ready for review December 16, 2025 21:48
@ireydiak ireydiak changed the title from "WIP: flare solution 3.1.0" to "Flare solution 3.1.0" Dec 16, 2025
@xvaier xvaier left a comment

A good idea would be to have Mike try to install it to see if it's easy to do.


| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
| ----------- | ------------------------------ | ------------------------------------------------------------------------- |
| 3.1.0 | 15-12-2024 | New CFF connector that replaces deprecated Rest API connector. |
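Review bot: the Date Modified for 3.1.0 reads 15-12-2024, but this PR was opened on Dec 15, 2025, so the year in this row looks wrong and should be 15-12-2025 if the DD-MM-YYYY column header is to be believed. The same row says "CFF connector" while the force-push message says "CCF collector" in one line and "CFF collector" in the next; settle on one spelling for the connector type in the change history so the entry matches the connector actually shipped.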

The dates don't match here.

"content": {
"version": "KqlItem/1.0",
"query": "Firework_CL\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\"Risk Score \", tostring(toint(risk_score_d)))\n| render timechart ",
"query": "FireworkV2_CL\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\"Risk Score \", tostring(toint(risk_score_d)))\n| render timechart ",
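Review bot: the only change in this workbook query is the table name (Firework_CL to FireworkV2_CL); the column names `timestamp_t` and `risk_score_d` are carried over unchanged from the old dynamic table. Since this PR introduces an explicit table definition for FireworkV2_CL, confirm that the definition declares exactly these column names and that `risk_score_d` is a type `toint()` can convert, otherwise the time series renders empty without an error.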

I think we could rename this Flare_CL.

Firework used to be the public facing name for the Flare frontend, but it's not used that much anymore externally.


I assume this is a generated file from the other ones?

| where source_s contains "Grayhat_warfare" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
version: 1.0.1
kind: Scheduled
version: 2.0.0
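Review bot: the version bump from 1.0.1 to 2.0.0 is the only change shown, but the unchanged `where` clause compares `risk_score_d` against the string literals "3", "4" and "5", whereas the workbook query on the same column applies `toint(risk_score_d)`. If the new FireworkV2_CL table definition declares this column as a numeric type, the string comparison may not match as intended; the numeric form `risk_score_d in (3, 4, 5)` is both safer and shorter. The visible context also does not show the table reference for this rule, so confirm it was switched to FireworkV2_CL as the PR description states.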

Is the versioning of the analytics rules separate from the package version?
